MySEF is one of the licensed evaluation facilities under the Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme. It provides expertise in security evaluation of ICT products and systems. It aims towards creating a safe and reliable computing environment through the provision of ICT security evaluation.

MySEF strengths in ICT Security Evaluation & Testing Services:

Accredited/Licensed Laboratory

CyberSecurity Malaysia MySEF is an accredited laboratory under the Laboratory Scheme Accreditation of Malaysia (SAMM), which meets the requirements of MS ISO/IEC 17025.

Our lab has sufficient equipment to carry out most ICT products and system evaluations. We are currently venturing into smart card testing equipment such as probing and analysis to perform SPA and DPA.

Our lab can cater for small to medium sized products such as software-based products (e.g. web applications), firewall appliances and others.

MySEF Services:

1. Common Criteria (CC) Evaluation Service (up to EAL 4)

ICT product evaluation on the product security features against Common Criteria standard - a set of functional and assurance claims using MS-ISO/IEC 15408 Common Criteria (CC) and MS-lSO/lEC 18045 Common Evaluation Methodology (CEM)

Involves two major processes: product evaluation and product certification. Product needs to be evaluated by CC laboratory (CyberSecurity Malaysia MySEF or other licensed lab) first before being certified by certification body. For more details on certification process, refer to MyCC website.

Certification provides independent validity of the evaluation results confirmation and a level of confidence in the security functionality provided by a ICT product

Another evaluation that is offered under this service is Protection Profile (PP) evaluation. PP is an implementation independent set of security requirements to determine whether they solve a stated security problem. This evaluation provides customers with validated security requirements to support selection and procurement of ICT products.

IPSA is adapting ISO/IEC 15408 Common Criteria (CC) and ISO/IEC 18045 Common Evaluation Methodology (CEM), any relevant Malaysian Standards (MS) or common uses of best practices/reference test methods.

ICT product that has been evaluated under IPSA Service will be issued a notification letter that is recognized locally in Malaysia.

End-User can make a comparison between other products in the marketplace that without the CC

Improve the management of technology risks

Reduce the risk of reputational damage to their organization

Application

Common Criteria Evaluation Application Process

Pitching Session

This includes a product demo or product technical presentation in terms of its security features by a client. CyberSecurity Malaysia MySEF will score the product using the MySEF Evaluation Project Acceptance Form. During this presentation, we will have a discussion on the security features of the product, scope of evaluation, the Evaluation Assurance Level (EAL) that is required, whether the product is completed or under development, product documentation and commitment towards the evaluation process

If the score meets the requirement to proceed with evaluation, we will proceed with developing a business proposal, describing the evaluation process, price, timeline and deliverables by both parties

If the client accepts the proposal, the client will sign the acceptance form in the business proposal and revert to CyberSecurity Malaysia MYSEF

CyberSecurity Malaysia MySEF will proceed with preparing the Service Level Agreement (SLA) to be signed by both parties. Once completed, client is required to submit a purchase order and CyberSecurity Malaysia will issue an invoice

During the legal and finance process, the client can start preparing the Security Target (ST) document which is a crucial document to begin evaluation and submit it to CyberSecurity Malaysia MySEF. For a sample of the stated Security Target (ST), one can refer to the publicly available security targets on the Internet or at the MyCC website

CyberSecurity Malaysia MySEF will review the ST and proceed with an evaluation proposal to the Malaysian Common Criteria Certification Body (MyCB) to start the technical evaluation on the client's product.

Similar to Common Criteria evaluation application process; except that the client is not required to develop a Security Target.

Please contact the lab manager for more information

Additional Information

Evaluation Assurance Level (EAL), Duration and Fee

Currently we are offering Evaluation Assurance Level (EAL) EAL1 up to EAL4+ augmented.

Duration for evaluation may take three months and above, depending on Evaluation Assurance Level (EAL) that the client chooses and the client's commitment towards such evaluation.

Evaluation fee will depend on the scope, complexity of the Target of Evaluation (TOE) and Security Features Requirements (SFRs). The cost will be higher if specialized testing under AVA and ATE is needed. If the testing requires access to specialized test equipment or facility, then we will partner with other CC labs and any direct costs incurred by CyberSecurity Malaysia will be passed on to the client.

The quoted fee is based on the assumption that there is no major evaluation observation reports (EOR) raised throughout the evaluation process and the iteration is not more than two times.

Training

CyberSecurity Malaysia MySEF is able to provide evaluator training and developer training for developing Common Criteria documentations and relevant scope of training modules that may be required by a client. The language for the training content can either be in Malay or English

Site Visit

Site visits by CyberSecurity Malaysia MySEF will be conducted within the evaluation execution period. Cost for the first site visit will be covered but additional site visits to resolve EOR will be needed and it is chargeable.

The Common Criteria project was initiated to harmonize the ITSEC, CTCPEC (Canadian criteria) and the US Draft Federal Criteria (FC) and TCSEC (Orange Book) into a Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating products and systems; and for stating security requirements in a standardized way. Its aim is to replace national and regional criteria with a worldwide set of standards. The CC has seven assurance levels, however, only the Common Criteria Recognition Agreement (CCRA) recognizes only the first four. The Assurance Level Page contains detailed information about the seven CC levels.

Assurance Levels

The CC has seven assurance levels: from EAL1 (the lowest) to EAL7 (the highest). At present, only assurance levels up to EAL4 have been incorporated within the international Common Criteria Recognition Agreement (CCRA). The seven CC levels are described below.

Level

Purpose

EAL1

Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE, to understand the security behavior. The analysis is supported by independent testing of the security functions.

EAL2

Structurally Tested. Analysis of the security functions using a functional and interface specification and high-level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer "black box" testing, and evidence of a development search for obvious vulnerabilities.

EAL3

Methodically Tested and Checked. The analysis is supported by "grey box" testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required.

EAL4

Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

EAL5

Semi Formally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semiformal presentation of the functional specification and high level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attacks. Covert channel analysis and modular designs are also required.

EAL6

Semi Formally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened.

EAL7

Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high-level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised.

Certified Product Register

Common Criteria Product List

The listing contains products with:

Status "Certified" - Have completed Common Criteria evaluation and certification